CVE-2026-2005

PostgreSQL pgcrypto heap buffer overflow executes arbitrary code

Published: 2/12/2026 Last updated: 2/26/2026 Reserved: 2/5/2026

Heap buffer overflow in PostgreSQL pgcrypto allows a ciphertext provider to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.

CNA assigner: PostgreSQL (f86ef6dc-4d3a-42ad-8f28-e6d5547a5007) Requested by: n/a

Metrics

Version	Score	Severity	Vector String
3.1	8.8	High	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Opam packages affected (5)

conf-mingw-w64-postgresql-i686 conf-mingw-w64-postgresql-x86_64 conf-postgresql ocsigen-start postgresql

Products affected (1)

Product	Vendor	Version
PostgreSQL	n/a	<= *

References (2)

https://www.postgresql.org/support/security/CVE-2026-2005/
https://www.postgresql.org/support/security/CVE-2026-2005/

Credits (2)

The PostgreSQL project thanks Team Xint Code, as part of zeroday.cloud, for reporting this problem.
The PostgreSQL project thanks Team Xint Code, as part of zeroday.cloud, for reporting this problem.